Building on unified address planning, IP Address Manager (IPAM) supports address resource management and resource monitoring:
Allocate resources from address pools: Allocate IP addresses that comply with business rules to VPCs from planned address pools. This helps implement unified address allocation within your enterprise.
Discover global address resources: Use resource discovery to find resources within the applicable scope and view address utilization and overlaps.
Monitor resources: Use the IP address monitoring feature for more effective resource planning and allocation. This helps ensure network stability and security.
Allocate addresses from planned address pools
During address planning, you can allocate a planned CIDR block from a top-level pool to a sub-pool. You can also perform the following operations:
VPC CIDR block allocation: When you allocate a primary or secondary CIDR block to a VPC, IPAM ensures that the allocated CIDR blocks do not overlap. This prevents address conflicts when VPCs are interconnected.
Hybrid cloud and multicloud address reservation: Create a custom allocation to reserve CIDR blocks for services in data centers or on other clouds. This ensures that the CIDR blocks are not allocated to cloud resources on Alibaba Cloud and prevents conflicts during network connectivity.
After a network administrator shares a planned IPAM pool with a business account (the principal), the business account can use the shared address pool to allocate an address to a VPC or create a custom allocation.
Console
Before you begin, make sure that you have created an IPAM instance and an IPAM pool.
Allocate a CIDR block to a VPC
Create a VPC with IPAM:
Go to the Create VPC page in the VPC console.
Select Allocated by IPAM, select an IPv4 address pool, and then configure a mask. The system allocates the first available CIDR block within the specified mask range by default. You can adjust the allocated IPv4 CIDR block within the provisioned CIDR block of the address pool.
To enable IPv6, select IPv6 CIDR block allocated by IPAM, select an IPv6 address pool, and then configure an address mask or specify a CIDR block.
Add a secondary CIDR block to an existing VPC:
Add an IPv4 CIDR block: On the details page of the target VPC, click the CIDR Block Management tab. Then, click Add Secondary IPv4 CIDR Block. Choose Allocated by IPAM, select an IPv4 pool, and configure a mask. The system allocates the first available CIDR block within the specified mask range by default.
Add an IPv6 CIDR block: If IPv6 is not enabled for the VPC, click Enable IPv6. If IPv6 is enabled, click Add Secondary IPv6 CIDR Block. Select Allocated by IPAM, select an IPv6 address pool, and then configure an address mask or specify a CIDR block.
Create a custom allocation
Before you create a custom allocation, make sure that a CIDR block is provisioned for the target address pool.
Go to the IPAM console - IPAM Pool page. In the top navigation bar, select the region where the target address pool is located.
Click the ID of the target address pool or click Manage in the Actions column. On the Allocation tab, click Create Custom Allocation. The reserved CIDR block is not allocated to cloud resources.
Enter a CIDR block or click an available area of a provisioned CIDR block. You can add multiple CIDR blocks.
Release an address allocation
On the product page of the target address pool, click the Allocation tab. Find the target allocation and click Release in the Actions column.
You can release allocations of the VPC and custom allocation types.
When you release an allocation of the VPC type, only the allocation relationship between the VPC and the address pool is removed. The VPC is not deleted.
API
Create a VPC with IPAM
Allocate an IPv4 CIDR block: When you call the CreateVpc operation, specify Ipv4IpamPoolId to use an IPAM pool and specify Ipv4CidrMask to allocate an IPv4 CIDR block from the IPAM pool to the new VPC. You can also specify CidrBlock to use a specific CIDR block for the VPC instead of automatically allocating one.
Allocate an IPv6 CIDR block: When you create the VPC, you can also specify Ipv6IpamPoolId and Ipv6CidrMask to allocate an IPv6 CIDR block from the specified IPv6 address pool to the VPC.
Add a secondary CIDR block to an existing VPC
Add an IPv4 CIDR block: Call the AssociateVpcCidrBlock operation. Specify IpamPoolId to use an IPAM pool and specify SecondaryCidrMask or SecondaryCidrBlock.
Add an IPv6 CIDR block: Call the AssociateVpcCidrBlock operation. Specify IpamPoolId to use an IPAM pool and specify Ipv6CidrMask or IPv6CidrBlock.
Create a custom allocation
Call the CreateIpamPoolAllocation operation to create a custom allocation from an IPAM pool and reserve a specific CIDR block.
Release an allocation
Call the DeleteIpamPoolAllocation operation to release an address allocation from an IPAM pool.
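The allocation behaviour described above (first free block of the requested mask, explicit blocks only inside the provisioned range, VPC and custom allocations never overlapping, release removing only the relationship) modelled locally as an added example; this is not Alibaba Cloud code and the pool, names and CIDR blocks are constructed sample values:

```python
import ipaddress


class IpamPool:
    """Local model of an IPAM pool: one provisioned block plus the allocations carved from it."""

    def __init__(self, provisioned_cidr):
        self.provisioned = ipaddress.ip_network(provisioned_cidr)
        self.allocations = {}  # name -> (kind, network); kind is "vpc" or "custom"

    def _is_free(self, candidate):
        # Free means it overlaps neither a VPC allocation nor a custom reservation.
        return not any(candidate.overlaps(net) for _, net in self.allocations.values())

    def allocate(self, name, kind, mask=None, cidr=None):
        """Allocate to a VPC (kind="vpc") or reserve for a data center or another
        cloud (kind="custom"). Give either a mask, which takes the first free block
        of that size, or an explicit CIDR block, which must be inside the pool and free."""
        if kind not in ("vpc", "custom"):
            raise ValueError("kind must be 'vpc' or 'custom'")
        if cidr is not None:
            candidate = ipaddress.ip_network(cidr)
            if not candidate.subnet_of(self.provisioned):
                raise ValueError(f"{candidate} is outside {self.provisioned}")
            if not self._is_free(candidate):
                raise ValueError(f"{candidate} overlaps an existing allocation")
        elif mask is not None and mask >= self.provisioned.prefixlen:
            free = (n for n in self.provisioned.subnets(new_prefix=mask) if self._is_free(n))
            candidate = next(free, None)
            if candidate is None:
                raise ValueError(f"no free /{mask} left in {self.provisioned}")
        else:
            raise ValueError("give a CIDR block, or a mask at least as long as the pool's prefix")
        self.allocations[name] = (kind, candidate)
        return str(candidate)

    def release(self, name):
        """Remove only the allocation relationship; the VPC itself is not deleted."""
        del self.allocations[name]

    def has_overlap(self):
        nets = [net for _, net in self.allocations.values()]
        return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def demo():
    # Constructed sample: a /16 pool with a custom reservation for an off-cloud data center.
    pool = IpamPool("10.0.0.0/16")
    pool.allocate("dc-reserved", "custom", cidr="10.0.160.0/22")
    primary = pool.allocate("vpc-a", "vpc", mask=24)    # first free /24 -> 10.0.0.0/24
    secondary = pool.allocate("vpc-b", "vpc", mask=20)  # 10.0.0.0/20 is taken, so 10.0.16.0/20
    return primary, secondary, pool.has_overlap()
```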
Terraform
Terraform does not support allocating IPv6 CIDR blocks to VPCs from IPAM.
Resources: alicloud_vpc, alicloud_vpc_ipv4_cidr_block, and alicloud_vpc_ipam_ipam_pool_allocation
# Specify the region where the IPAM pool resides.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the ID of the IPAM pool.
variable "ipam_pool_id" {
  default = "ipam-pool-bp10******" # Replace with the actual ID of the IPAM pool.
}

# Create a VPC and allocate a primary CIDR block to the VPC.
resource "alicloud_vpc" "example_ipam_vpc" {
  vpc_name          = "example_ipam_vpc_name"
  ipv4_ipam_pool_id = var.ipam_pool_id # Specify the ID of the IPAM pool.
  ipv4_cidr_mask    = 24               # The IPv4 network mask.
}

# Allocate a secondary CIDR block to the VPC.
resource "alicloud_vpc_ipv4_cidr_block" "example_secondary_cidr_block" {
  vpc_id              = alicloud_vpc.example_ipam_vpc.id # Specify the ID of the VPC.
  ipv4_ipam_pool_id   = var.ipam_pool_id                 # Specify the ID of the IPAM pool.
  secondary_cidr_mask = 20                               # The IPv4 network mask.
}

# Create a custom allocation.
resource "alicloud_vpc_ipam_ipam_pool_allocation" "example_ipam_pool_allocation" {
  ipam_pool_allocation_name = "example_ipam_pool_allocation_name"
  ipam_pool_id              = var.ipam_pool_id # Specify the ID of the IPAM pool.
  cidr                      = "10.0.160.0/22"  # Reserve the specified CIDR block.
}

Restrict VPC CIDR block allocation from IPAM address pools
In a multi-account environment, CIDR block conflicts can cause connectivity issues if business accounts independently create VPCs and randomly allocate private CIDR blocks. To prevent this, you can use a management account to create a control policy and attach it to a folder or member. This policy restricts business accounts to allocating VPC CIDR blocks only from shared IPAM pools. IPAM ensures that the allocated CIDR blocks do not overlap, which prevents address conflicts when VPCs are interconnected.
Control policies apply to all Resource Access Management (RAM) users and RAM roles of members in a resource directory, but not to the root users of the members. The management account of a resource directory is external to the resource directory. Therefore, control policies do not apply to any identities within the management account.
Use resource discovery to view address usage
Allocating addresses from a planned IPAM pool ensures that the CIDR blocks allocated to VPCs comply with business rules. For existing VPC and vSwitch resources, and for VPCs created independently of IPAM, you can use resource discovery to view all VPC and vSwitch CIDR blocks.
VPCs created using IPAM have a management status of Hosted, whereas existing resources and new resources created without IPAM have a management status of Not hosted. If a resource meets the required rules and is imported into an address pool, its management status changes to Hosted.
Manage addresses using resource discovery
Resource discovery continuously finds and tracks the IP address usage of VPC and vSwitch CIDR blocks within the Effective Region. After you associate a resource discovery with an IPAM instance, the IPAM instance centrally manages the discovered CIDR blocks.
1. The applicable scope of a default resource discovery is the same as that of the IPAM instance and cannot be modified.
2. Resource discovery is updated every 5 minutes.
When you create an IPAM instance, the system creates a default resource discovery and associates it with the IPAM instance. VPC CIDR blocks that meet the following rules are automatically imported into the corresponding address pool for unified management:
Only unallocated CIDR blocks that are within the provisioned CIDR block of the address pool are imported.
CIDR blocks are imported only into address pools for which Automatically Import Discovered Resource is enabled in the default scope.
If multiple discovered CIDR blocks overlap, IPAM imports only the largest CIDR block.
If multiple identical CIDR blocks are discovered, IPAM randomly imports one of them.
If no IPAM instance is created, you can create a custom resource discovery to track the IP address usage of VPC and vSwitch CIDR blocks. If an IPAM instance is later created in the managed region, the custom resource discovery is automatically converted into a default resource discovery.
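The four automatic import rules listed above, applied locally to a constructed set of discovered VPC CIDR blocks as an added example (not Alibaba Cloud code); the pool, VPC IDs and blocks are sample values, and the seed parameter only makes the random choice among identical blocks reproducible:

```python
import ipaddress
import random

# Constructed sample input: (VPC ID, VPC CIDR block) pairs found by resource discovery.
DISCOVERED = [
    ("vpc-1", "10.0.0.0/24"),     # overlaps vpc-2, which is larger
    ("vpc-2", "10.0.0.0/20"),
    ("vpc-3", "10.0.32.0/24"),    # identical to vpc-4
    ("vpc-4", "10.0.32.0/24"),
    ("vpc-5", "10.0.161.0/24"),   # inside an existing custom allocation
    ("vpc-6", "192.168.0.0/24"),  # outside the provisioned block
]


def select_imports(provisioned_cidr, existing_allocations, discovered, auto_import=True, seed=None):
    """Return {vpc_id: cidr} for the discovered blocks the pool would import.

    Rules modelled: import happens only when auto-import is enabled; a block
    must lie inside the provisioned block and overlap no existing allocation;
    of identical blocks one is taken at random (seed makes this reproducible);
    of overlapping blocks only the largest survives.
    """
    if not auto_import:
        return {}
    rng = random.Random(seed)
    pool = ipaddress.ip_network(provisioned_cidr)
    allocated = [ipaddress.ip_network(c) for c in existing_allocations]

    # Rule 1: unallocated and within the provisioned block.
    by_cidr = {}
    for vpc_id, cidr in discovered:
        net = ipaddress.ip_network(cidr)
        if net.subnet_of(pool) and not any(net.overlaps(a) for a in allocated):
            by_cidr.setdefault(net, []).append(vpc_id)

    # Rule 2: identical blocks collapse to one randomly chosen VPC.
    unique = [(rng.choice(ids), net) for net, ids in by_cidr.items()]

    # Rule 3: walk largest block first; drop anything overlapping a kept block.
    unique.sort(key=lambda item: item[1].prefixlen)
    kept = []
    for vpc_id, net in unique:
        if not any(net.overlaps(k) for _, k in kept):
            kept.append((vpc_id, net))
    return {vpc_id: str(net) for vpc_id, net in kept}


def demo(seed=0):
    # Pool 10.0.0.0/16 with one existing custom allocation (constructed values).
    return select_imports("10.0.0.0/16", ["10.0.160.0/22"], DISCOVERED, seed=seed)
```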
Console
Create a resource discovery
When you create an IPAM instance, the system creates a default resource discovery and associates it with the IPAM instance.
If no IPAM instance is created, you can create a custom resource discovery.
Go to the IPAM console - Resource Discovery page. In the top navigation bar, select the region where you want to create the resource discovery. This region becomes the managed region of the resource discovery. Then, click Create Resource Discovery.
You can add other regions to the Effective Region in addition to the managed region. The resource discovery keeps finding VPC and vSwitch CIDR blocks in the Effective Region.
After the resource discovery is created, you can add or remove applicable scopes. However, the managed region cannot be removed.
After the resource discovery is created, you can view the IP address usage of VPC and vSwitch CIDR blocks in the Effective Region on the Discovered Resource tab of the resource discovery product page.
Delete a resource discovery
Default resource discovery: You can delete a default resource discovery only by deleting the IPAM instance.
Custom resource discovery: Find the custom resource discovery and click Delete in the Actions column.
API
If no IPAM instance is created:
Call the CreateIpamResourceDiscovery operation to create a custom resource discovery.
Call the DeleteIpamResourceDiscovery operation to delete a custom resource discovery.
Terraform
If no IPAM instance is created, you can create a custom resource discovery.
Resource: alicloud_vpc_ipam_ipam_resource_discovery
# Specify a region where no IPAM instance is created and a custom resource discovery can be created.
provider "alicloud" {
  region = "cn-shanghai"
}

resource "alicloud_vpc_ipam_ipam_resource_discovery" "example_ipam_resource_discovery" {
  operating_region_list        = ["cn-shanghai"] # Specify the applicable scope of the IPAM resource discovery.
  ipam_resource_discovery_name = "example_ipam_resource_discovery_name"
}

Use shared resource discovery for unified address management
If business accounts use unplanned CIDR blocks to create resources, address conflicts can occur. A network administrator can associate an IPAM instance with a resource discovery shared by a business account to centrally manage resources across multiple accounts and resolve address conflicts.
Both default and custom resource discoveries can be shared.
The applicable scope of a shared resource discovery and the applicable scope of the network administrator's IPAM instance can be different, but their managed regions (creation regions) must be the same. If the applicable scopes are different:
The resource owner (business account in this example) and the network administrator can manage and view all resources within the applicable scope of the resource discovery.
After the network administrator associates the resource discovery with an IPAM instance, the administrator can manage only the resources within the applicable scope of the IPAM instance.
Console
This section describes how to share a resource discovery with any account. To share resources only within a resource directory, see Share resources within a resource directory.
Share a resource discovery
A business account shares a created resource discovery with a network administrator:
Go to the IPAM console - Resource Discovery page. In the top navigation bar, select the region where the target resource discovery is located. Click the ID of the target resource discovery or click Manage in the Actions column. On the Sharing Management tab, click Create Resource Share.
On the Create Resource Share page, follow the steps to configure resource sharing.
Set Resources to IPAM Resource Discovery and select the IPAM resource discovery that you want to share.
For an IPAM resource discovery, the associated permission is AliyunRSDefaultPermissionIpamResourceDiscovery.
Set Principals to All Accounts. Set Add Principals to Add Manually. Enter the Alibaba Cloud account ID of the address pool principal as the principal ID and click Add.
After you review the information, click OK at the bottom of the page.
Log on to the network administrator account and accept the sharing invitation:
Go to the Resource Sharing - Shared To Me page in the Resource Management console.
In the top navigation bar, select the region where the shared resource is located. Then, find the target resource share and click Accept in the Status column.
After the resource is shared, the network administrator can view information about the resources and address utilization of each business account.
The network administrator associates the shared resource discovery with an IPAM instance in the same managed region:
Go to the IPAM console - IPAM page. In the top navigation bar, select the region where the target IPAM instance resides. Click the ID of the target IPAM instance or click Manage in the Actions column. On the Associated Resource Discovery tab, click Associate Resource Discovery and select the resource discovery shared by the business account.
After the association is complete, the network administrator can centrally manage resources within the applicable scope of the IPAM instance. On the Resource Management tab of the IPAM Scope, you can view information such as address overlaps and utilization.
Dissociate an IPAM instance from a resource discovery
Only actively established associations can be canceled. A default resource discovery that is created and associated when an IPAM instance is created cannot be dissociated.
On the Associated Resource Discovery tab of the target IPAM instance, find the target resource discovery and click Dissociate in the Actions column. After you dissociate the resource discovery, the IPAM instance can no longer manage the address resources found by the resource discovery.
Cancel sharing a resource discovery
Use the business account. On the Sharing Management tab of the Resource Discovery product page, click the target Resource Share to go to the product page. Then, select Delete Resource Share.
Even if the network administrator has associated the resource discovery with an IPAM instance, the business account can cancel the sharing. After the cancellation, the association is automatically deleted.
API
Share a resource discovery
Share a resource discovery with any account
Use the identity credentials of the business account to call the CreateResourceShare operation to create a resource share. Make sure that the AllowExternalTargets parameter is set to True.
Use the identity credentials of the network administrator to call the ListResourceShareInvitations operation to query received resource sharing invitations, and then call the AcceptResourceShareInvitation operation to accept the invitation.
Share a resource discovery only within a resource directory
Use the identity credentials of the management account of the resource directory to call the EnableSharingWithResourceDirectory operation to enable resource sharing for the resource directory.
Use the identity credentials of the business account to call the CreateResourceShare operation to create a resource share. Make sure that the AllowExternalTargets parameter is set to True.
Use the identity credentials of the business account to call the DeleteResourceShare operation to delete a resource share and cancel sharing the resource discovery.
Associate a resource discovery with an IPAM instance
Call the AssociateIpamResourceDiscovery operation to associate a resource discovery with an IPAM instance.
Call the DissociateIpamResourceDiscovery operation to dissociate a resource discovery from an IPAM instance.
Terraform
Terraform does not support sharing resource discoveries.
Resource monitoring
Monitor address utilization
Monitor address utilization to scale out resources with high utilization in a timely manner.
Monitor the address utilization of an address pool: Go to the IPAM console - IPAM Pool page and click the ID of the target address pool.
On the Details tab, you can view the number of available IP addresses in the address pool and the number of IP addresses allocated to resources and sub-pools. If the target address pool is a sub-pool, you can also view the address utilization of both the sub-pool and its source pool.
On the IP Address Usage and Allocation tabs, you can view the specific allocation details of the address pool.
Monitor the address utilization of VPCs and vSwitches:
Go to the IPAM console - Resource Discovery page. Click the ID of the target resource discovery to view the CIDR blocks and IP address usage of all VPCs and vSwitches in the applicable scope.
Go to the IPAM console - IPAM Scope page and click the ID of the target scope.
On the Resource Management tab, you can view the CIDR blocks and address utilization of VPCs and vSwitches within this scope. Click the ID of a target VPC or vSwitch to view its IP address usage.
On the Monitoring Charts tab, you can monitor the address utilization of VPCs and vSwitches within this scope over time using line charts.
Monitor address overlaps
Monitor address overlaps to proactively discover and resolve address conflicts, which helps prevent access conflicts during network interconnection.
Go to the IPAM console - IPAM Scope page and click the ID of the target scope.
On the Resource Management tab, you can view the overlap status of VPC and vSwitch CIDR blocks within this scope. If CIDR blocks overlap, you can click View in the Overlap Status column to see the specific instances that conflict with the current resource.
On the Monitoring Charts tab, you can monitor the number of overlapping CIDR blocks within this scope over time using line charts.
Monitor the management status and compliance of CIDR blocks
Go to the IPAM console - IPAM Scope page. Click the ID of the target scope. On the Overview, Resource Management, and Monitoring Chart tabs, you can check if a CIDR block is managed (allocated from an IPAM pool) and compliant (complies with the allocation rules of the IPAM pool).
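The three monitoring signals above (address utilization, overlap status with the conflicting instances, and managed/compliant status) computed locally over constructed sample VPCs as an added example, not Alibaba Cloud code; the compliance rule applied (block inside the pool's provisioned CIDR and no smaller than an assumed minimum size) is an assumption for the example, since the page does not spell out a pool's allocation rules:

```python
import ipaddress

# Constructed sample: VPCs with their vSwitch CIDR blocks, and the pool they may come from.
VPCS = {
    "vpc-a": {"cidr": "10.0.0.0/24", "vswitches": ["10.0.0.0/25", "10.0.0.128/26"]},
    "vpc-b": {"cidr": "10.0.0.0/20", "vswitches": ["10.0.1.0/24"]},
    "vpc-c": {"cidr": "10.1.0.0/16", "vswitches": ["10.1.0.0/24"]},
    "vpc-d": {"cidr": "172.16.0.0/24", "vswitches": []},
}
POOL_PROVISIONED = "10.0.0.0/8"
POOL_ALLOCATIONS = {"vpc-a": "10.0.0.0/24", "vpc-c": "10.1.0.0/16"}  # VPC-type allocations
ASSUMED_MAX_PREFIXLEN = 24  # assumed pool rule for this example: nothing smaller than a /24


def utilization(vpc_cidr, vswitch_cidrs):
    """Fraction of the VPC's address space already carved into vSwitches."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = sum(ipaddress.ip_network(c).num_addresses for c in vswitch_cidrs)
    return round(used / vpc.num_addresses, 4)


def overlap_status(vpcs):
    """For each VPC, the other VPCs whose CIDR blocks conflict with it."""
    nets = {vid: ipaddress.ip_network(v["cidr"]) for vid, v in vpcs.items()}
    return {
        vid: sorted(o for o, onet in nets.items() if o != vid and net.overlaps(onet))
        for vid, net in nets.items()
    }


def management_status(vpc_id, vpc_cidr, provisioned, allocations, max_prefixlen):
    """Hosted if the block was allocated from the pool; compliant if it meets the
    (assumed) pool rules: inside the provisioned block and not smaller than the limit."""
    net = ipaddress.ip_network(vpc_cidr)
    hosted = allocations.get(vpc_id) == vpc_cidr
    compliant = net.subnet_of(ipaddress.ip_network(provisioned)) and net.prefixlen <= max_prefixlen
    return ("Hosted" if hosted else "Not hosted"), compliant


def report(vpcs=VPCS):
    """One row per VPC with the signals the Resource Management tab shows."""
    overlaps = overlap_status(vpcs)
    rows = {}
    for vid, v in vpcs.items():
        status, ok = management_status(vid, v["cidr"], POOL_PROVISIONED,
                                       POOL_ALLOCATIONS, ASSUMED_MAX_PREFIXLEN)
        rows[vid] = {"utilization": utilization(v["cidr"], v["vswitches"]),
                     "overlaps": overlaps[vid], "status": status, "compliant": ok}
    return rows
```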
More information
Billing
IPAM is in public preview. It is free of charge during the public preview period.
Quotas
Quota name | Description | Default quota | Increase quota |
custom_ipam_resource_discovery_quota_per_region | The number of custom resource discoveries that can be created by an Alibaba Cloud account in a region. | 1 | Cannot be increased |
resource_share_quota_per_ipam_resource_discovery | The number of resource shares that can be created for each resource discovery. | 100 | |
shared_ipam_resource_discovery_quota_per_user | The number of shared resource discoveries that a user can have. | 100 | |